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Abstract 

In  this  paper  we  discuss  why  message  acknowledgements  are  an  appropriate 
engineering  approach  to  meet  system  functionality.  The  data  replication  problem 
in  database  systems  is  our  motivation.  We  introduce  a  new  queueing  theoretic 
model,  the  MIMO  model,  that  incorporates  burstiness  in  the  sending  side  and  busy 
periods  in  the  receiving  side.  Based  on  simulation  results  derived  from  this  model, 
we  show  that  the  buffer  requirements  from  M/M/I/N  queues  are  too  optimistic. 
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1  Introduction 


In  [6,  9]  Kang  and  Moskowitz  described  a  method  for  reliable,  high  performance  commu¬ 
nication  between  a  low  security  class  (Low)  and  a  high  security  class  (High)  by  means 
of  the  NRL  Pump  concept,  or,  more  simply  put,  the  Pump.  Initially  we  developed  the 
Pump  as  a  communications  interface  between  Low  and  High  in  NR.L’s  replicated  archi¬ 
tecture  database  project  SINTRA1  [7,  8].  Since  the  writing  of  [6,  9],  Kang,  Moskowitz, 
and  Lee  have  advanced  the  Pump  concept  to  deal  with  multiple  Lows  and  multiple 
Highs  [10]. 

The  Pump  uses  message  ACKs  for  reliability  of  communication  between  Low  and 
High.  While  these  ACKs  form  a  covert  channel  from  High  to  Low,  the  probabilistic 
nature  of  the  Pump  ACKs  keeps  channel  capacity  within  specified  bounds  without 
penalizing  performance.  Also,  the  Pump  uses  a  “handshake”  protocol  so  Low  does  not 
send  a  new  message  until  the  previous  message  has  been  ACKed2.  Thus,  the  Pump  also 
uses  ACKs  for  flow  control  by  slowing  down  message  arrivals  at  an  intermediary  buffer 
between  Low  and  High. 


Figure  1:  The  Pump 


McDermott  presented  work  on  the  big  buffer  [13]  as  a  Pump  alternative.  We  are 
taking  this  opportunity  to  further  contrast  the  Pump  approach  with  his. 


1.1  Why  acknowledge? 

This  question  might  better  be  phrased  as — Why  not  acknowledge?  We  believe  that  the 
burden  of  proof  is  upon  those  who  advocate  not  using  ACKs.  The  standard  in  computer 
communications  is  to  use  ACKs.  Of  course,  when  we  add  security  to  the  picture  we  have, 
the  problem  that  ACKs  can  cause  an  illicit  information  flow.  Thus,  the  standard  use  of 
ACKs  must  somehow  be  modified.  The  ACKs  give  us  the  reliability  that  our  message 

1  Secure  Information  Through  Replicated  Architecture. 

2  The  Pump  uses  timeout  for  the  NAK. 
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has  been  safely  received  by  High.  Even  if  the  transmission  medium  insured  100%  error 
free  transmission  (fiber  optics  come  close  [2] ),  errors  can  occur  in  the  systems  themselves. 
How  does  Low  know  that  High  is  ready  to  receive  messages?  How  does  Low  know  that 
a  message  arrived  at  High?  These  are  just  some  of  the  reliability  issues  that  concern  us. 
Therefore,  there  must  be  some  ACK/NAK  passed  from  High  back  to  Low. 

The  ACKs  may  also  be  used  for  flow  control  (as  in  the  Pump).  In  this  paper  we  will 
not  discuss  reliability  issues  in  detail.  Instead,  we  focus  on  one  particular  objection  we 
have  to  ACK-free  transmission;  that  of  buffer  management  (size)  under  the  paradigm 
of  no  ACKs.  Buffer  size  is  very  important  because  of  different  “rates”  between  Low  and 
High  (High’s  ability /inability  to  receive  messages  can  cause  buffer  overflow  under  the 
no-ACK  paradigm). 


1.2  Motivation:  Replicated  Architecture  Database 

The  SINTRA  approach  uses  physical  separation  and  data  replication  as  the  primary 
protection  mechanisms  for  a  database  system  that  provides  both  high  assurance  and 
multilevel  security.  Low  level  data  is  replicated  in  the  high  level  DBMS  so  it  will  be 
available  to  high  level  users.  Thus,  messages  must  pass  from  Low  DBMS  to  High  DBMS, 
as  shown  in  figure  2. 


Low  DBMS  High  DBMS 


Figure  2:  The  SINTRA  Architecture 

DBMSs  and  Replication  servers  are  reliable  and  recoverable.  However,  the  “secure 
device”  in  figure  2  may  or  may  not  be  reliable.  Not  satisfied  with  read-down3  nor 

3 Similar  to  blind  write-up,  see  [6,  9]  for  a  discussion. 
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blind  write-up  (discussed  in  section  1.3),  which  do  not  provide  reliability,  we  developed 
the  Pump  as  a  secure  device.  Since  DBMS,  replication  server,  and  the  Pump  provide 
reliability  and  recoverability,  the  whole  data  replication  path  becomes  reliable  and  re¬ 
coverable. 

Let  us  consider  DBMSs  (i.e.,  Low  and  High).  Sometimes,  Low  DBMS  has  lots  of 
data  to  send  within  a  short  period  of  time  (e.g.,  sending  large  updates).  During  some 
other  periods  of  time,  Low  DBMS  has  very  little  data  to  send  (i.e.,  Low  has  bursty  and 
normal  periods).  The  same  situation  may  apply  to  high  DBMS  (e.g.,  during  some  period 
of  time  many  users  are  active,  thus  High  may  be  in  a  busy  state).  Hence,  High  may 
have  normal  and  busy  periods4.  To  model  this  situation,  as  we  will  show,  an  M/M/1 
queueing  model  is  not  adequate. 


1.3  Blind  write-up  (no  ACK  transmission) 


Figure  3:  Blind  Write-Up 


Other  approaches,  e.g.,  [2,  13]  or  [1,  section  5.3],  also  use  an  intermediary  buffer  between 
Low  and  High,  but  keep  current  High  activity  from  being  reflected  down  to  Low 
([2],  [1,  section  5.3]  does  allow  a  flow  down  in  case  of  buffer  saturation).  Obviously, 
these  approaches  have  no  covert  channels  (unless  l  lie  buffer  is  saturated  often).  We 
refer  to  these  approaches  as  the  “blind  write-up”  approaches  since  they  do  not  let  Low 
have  ACKs.  However,  these  models  offer  no  assurance  that  a  message  was  successfully 
transmitted  and  they  do  not  offer  flow  control.  McDermott’s  [13]  (big)  buffer  sends 
ACKs  down  to  Low  when  a  message  has  been  successfully  placed  in  a  buffer  between 
Low  and  High.  If  the  buffer  is  full,  the  new  message  will  overwrite  an  old  message. 
His  model  rests  on  the  assumption  that  a  large  enough  buffer  can  be  chosen  so  that 
the  probability  of  a  message  being  overwritten  before  it  has  been  serviced  by  High  is 
negligible.  Note  that  we  still  consider  McDermott’s  method  in  the  no- ACK  (blind  write¬ 
up)  class  because  his  buffer  ACKs,  unlike  the  Pump’s,  do  not  mimic  true  ACKs  from 
High  to  Low.  Goldschlag  [2,  section  3],  [1,  section  5.3]  places  a  (big)  buffer  between 

4An  analogy  is  how  an  office  building  elevator  services  waiting  people  at  2:00  pm  and  at  5:30  pm. 
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Low  and  High,  but  a  new  message  will  overwrite  an  old  message  if  the  buffer  saturates. 
However,  downgraders  can  be  added  [2,  section  4],  to  send  a  warning  to  Low  if  the  buffer 
becomes  full.  Without  this  warning,  Low  does  not  moderate  the  message  arrival  rate  at 
the  buffer.  The  Pump,  however,  reduces  the  rate  of  arrivals  from  Low  to  the  buffer  so 
that  Low’s  input  rate  roughly  matches  that  of  High’s  output  (service)  rate.5  In  contrast, 
these  blind  write-up  models  assume  that  (1)  Low  can  successfully  transmit  a  message 
to  the  buffer,  and  (2)  a  sufficiently  large  buffer  can  queue  up  enough  messages  going  to 
High,  so  that  no  messages  are  lost;  thus,  blind  write-up  assumes  messages  successfully 
travel  from  Low  to  High.  We  strongly  take  exception  to  this.  We  feel  that  Low  must 
know  that  its  message  got  to  High  for  reliability  and  flow  control  (which  is  itself  a  part 
of  reliability). 

McDermott  [13]  was  the  first,  in  the  security  community,  to  perform  a  serious  queue¬ 
ing  theoretic  analysis  of  buffer  management.  He  used  an  M/M/1  based  model  for  his 
analysis.  This  model  is  not  sufficiently  rich  to  incorporate  burstiness  [5,  4,  12,  14,  16] 
and,  aside  from  reliability  issues,  M/M/1  gives  too  optimistic  estimates  of  sufficient 
buffer  size.  Note  that  Goldschlag  also  assumes  that  a  properly  sized  buffer  can  be  used. 
The  communications  community  has  done  bursty  analysis  (on  the  transmitter  end)  by 
using  a  Markov  Modulated  Poisson  Process  (MMPP)  [5],  or  Lo-Hi/On-Off  type  models 
[12,  16].  They  have  obtained  closed  form  solutions  for  various  terms  of  interest  (such 
as  mean  queue  size  [16]  ).  To  a  communications  engineer,  lost  messages  are  not  a  prob¬ 
lem  because  there  is  always  some  high  layer  (with  respect  to  the  ISO  layering  scheme) 
ACK  to  let  the  sender  know  that  a  message  was  lost  or  garbled  and  that  it  should  be 
retransmitted.  Since  knowing  if  messages  are  lost  (and  therefore  unrecoverable)  rather 
than  closed  form  solutions  is  our  concern,  the  MMPP  does  not  convey  enough  detail  for 
our  needs  because  it  does  not  take  High’s  behaviour  into  account.  Therefore,  we  have 
extended  the  model. 

The  main  contribution  of  this  paper  is  our  discrete  extension  of  MMPP/G/1  type 
queues,  to  the  Modulated- Input  Modulated-Output  (MIMO)  model.  Our  studies  of  the 
MIMO  model  have  only  reinforced  our  belief  that  unacknowledged  transmission  from 
Low  to  High  is  unacceptable  because  the  MIMO  model  shows  that  no  matter  what 
size  buffer  is  used  it  is  always  possible  to  find  an  example  where  the  Low  rate  is  less 
than  the  High  rate  but  the  buffer  will  still  fill.  We  assume  that  each  message  sent 
from  Low  to  High  is  important.  This  need  not  be  the  case  if  we  are  sending  video  or 
voice,  for  example,  but  it  is  certainly  the  case  for  many  types  of  data  transfers,  e.g. 

5Input  and  output  are  relative  to  the  buffer. 
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database  updates,  file  transfers,  etc.6  Further,  if  our  input  rate  is  quite  slow,  there  is  no 
appreciable  covert  channel  threat  so  the  timing  of  acknowledgements  is  a  non-issue  (e.g., 
use  the  Pump  or  just  send  the  raw  ACK  stream  down  to  Low).  Therefore,  the  Pump  is 
a  good  answer  for  sending  data  messages  from  Low  to  High  in  a  general  situation. 


2  Queuing  theoretic  models 

For  the  rest  of  this  paper,  we  will  concentrate  on  only  one  of  our  objections  to  blind 
write-up;  that  of  buffer  management — what  is  the  probability  that  a  buffer  of  size  N  will 
overflow  under  realistic  input/arrival  and  output/service  assumptions.  As  before,  this 
is  not  to  say  that  the  general  reliability  issues  are  not  of  interest  to  us.  Rather,  the  goal 
of  this  paper  is  to  introduce  a  new  formal  model  so  that  questions  of  burstiness  can  be 
quantitatively  studied. 

The  queueing  models  will  describe  how  our  message  traffic  behaves.  We  show  that 
under  our  MIMO  model,  messages  will  be  lost  because  there  is  nowhere  to  put  them  if 
they  are  sent  too  fast.  Therefore,  something  must  be  done  to  moderate  traffic  flow. 

TRANSMITTER  ->  BUFFER  ->  RECEIVER 

Above  is  our  transmission  model.  The  transmitter  (input)  sends  messages  to  the 
buffer.  The  buffer  size  is  the  number  of  messages  that  the  buffer  can  hold.  Every 
message  is  of  the  same  size  and  all  transmission  times  are  zero.  Messages  arrive  at  the 
buffer  from  the  transmitter.  The  receiver  (output)  services  messages  from  the  buffer. 
When  we  use  the  term  rate,  we  mean  the  total  number  of  messages  divided  by  the  total 
time  for  the  arrival  or  servicing  of  the  messages.  Rates  have  units  of  messages  per  time 
unit.  Messages  arrive  at  the  buffer  from  the  transmitter  at  an  input  rate  denoted  by  A 
and  the  receiver  services  them  at  the  output  rate  //.  The  dimensionless  quantity  ^  is 
extremely  important  to  queue  size. 

6This  is  not  the  case  for  data  transfers  that  are  constantly  updated,  such  as  sensor  reports  that  are 
sent  every  few  seconds. 
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2.1  M/M/1  model 


As  mentioned  earlier,  the  first  work  on  the  write-up  problem  to  apply  queueing  theory 
seriously  is  in  [13],  where  an  M/M/l/N  queue  is  used  for  the  model.  This  is  a  queue  with 
a  Poisson  arrival  process  and  exponential  service  times.  The  N  signifies  that  the  buffer 
is  of  finite  size  N,  unlike  the  standard  M/M/1  queue  which  has  an  infinite  buffer.  The 
average  (exponentially  distributed)  interarrival  time  is  1/A  which  uniquely  determines 
the  Poisson  process.  The  average  (exponentially  distributed)  service  time  is  1/ p.  The 
term  pk  is  the  steady  state  probability  that  there  are  k  messages  in  the  buffer.  For  an 
M/M/1  queue  pk  exists  if  and  only  if  <  1;  this  is  the  ergodic  condition.  The  analysis 
in  [13]  is  done  only  for  ^  <  1.  However,  for  an  M/M/l/N  queue  the  condition  on  can 
be  relaxed  to  be  any  positive  value.  This  is  because  pu  =  0  for  k  >  iV,  and  thus  the 
ergodic  condition  is  trivially  met  (e.g.,  finite  birth-death  process). 

In  [13],  if  a  message  arrived  at  a  full  buffer,  the  new  message  overwrote  a  message 
that  was  already  in  the  buffer.  Which  message  is  overwritten  is  not  specified  and  is 
left  as  a  design  parameter.  Communications  engineers  study  the  probability  of  blocked 
or  turned-away  messages  —  mathematically,  this  is  identical  to  overwritten  messages, 
therefore  we  will  just  use  the  term  “lost”  messages.  In  [13],  it  is  noted  that  for  ~  <  1 
and  bounded  away  from  1  that  the  probability  of  the  buffer  being  full  can  be  made 
as  small  as  desired  by  choosing  a  very  moderately  sized  buffer.  We  take  no  exception 
to  the  M/M/l/N  analysis  for  /)  <<  1.  However,  we  also  find  it  instructive  to  look  at 
unrestricted  first  in  terms  of  the  mathematical  analysis,  second  to  consider  buffer  size, 
third  to  look  at  the  assumptions  in  terms  of  physical  reality,  and  fourth  as  motivation 
for  our  bursty  analysis. 

As  noted,  the  (steady  state)  probability  that  the  buffer  is  full  is  the  same  as  the 
(steady  state)  probability  of  a  message  being  lost.  The  derivation  for  this  can  be  found 
in  [15,  3]  and  is: 


1  - 


Pn  = 
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-f  ,  for  1  >  0  . 
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Provided  that  -  <  1  we  see  that7 
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Thus,  as  in  [13],  for  A  <  .95  a  buffer  of  size  less  than  1000  will  suffice  to  keep  p jv 
extremely  small.  As  long  as  A  <  1  two  facts  are  true:  (1)  For  fixed  p jv  decreases  as 
N  — >  oo,  and  (2)  pjy  can  be  made  as  small  as  desired  by  letting  N  grow. 

However,  as  A  — »  1_  the  necessary  buffer  size  also  grows  for  fixed  p jy.  Obviously,  if 
we  always  input  at  a  rate  that  is  greater  than  or  equal8  to  the  output  rate  our  system  will 
either  lose  many  messages  (or  grind  to  a  halt).  However,  what  if  there  are  periods  when 
this  is  true?  Is  our  system  robust  enough  to  tolerate  these  bursts  of  input  activity? 
If  there  is  no  feedback  from  High  to  Low,  what  is  to  prevent  Low  from  temporarily 
sending  messages  faster  than  High  can  handle  them?  If  our  system  is  designed  along 
an  M/M/l/N  type  model  we  argue  that  we  may  be  in  serious  trouble  with  respect  to 
dropped/lost  messages.  So  let  us  study  the  cases  where  A  >  1  might  hold  for  some 
period  of  time.  We  analyze  the  situation  where  X/p  >  1,  in  the  M/M/l/N  model.  This 
might  not  reflect  the  steady  state  behaviour  of  our  Low-to-High  system  but  it  might 
represent  either  (1) — a  large  transient  (bursty)  period,  large  enough  so  that  steady 
state  probabilities  are  locally  achieved,  or  (2) — the  results  from  the  accumulation  of 
many  bursty  periods  causing  buffer  congestion. 

If  the  rates  are  equivalent  then  the  buffer  required  to  ensure  no  overwritten  messages 
is  in  fact  quite  large.  When  X  =  p,  by  using  L’Hopital’s  rule,  we  see  that  N  =  ^  —  1. 
So  for  A  =  p  the  buffer  size,  less  one,  is  the  inverse  of  the  desired  p jy.  Therefore,  a  buffer 
of  size  1000  will  suffice  if  one  is  willing  to  accept  a  probability  of  a  lost  message  of  .001. 

Let  us  analyze  the  situation  where  A / p  >  1.  Note  that  for  A  >  p: 


Pn 


1  - 


1  -  ($)N+1 


A  1 


1 


(  A  )JV+1 


> 


i  -  (A ip)-1  >  o . 


Similar  to  the  situations  when  A  <  1,  we  see  that  for  A  >  pN  decreases  as  N  — >  oo, 
but  when  A  >  pN  does  not  approach  zero,  the  smallest  pjy  can  ever  be  is  1  —  (A / p)~r  ■ 

7For  A  >  1  we  will  show  later  that  N  cannot  be  solved  for  arbitrary  »jv- 

8Since  arrivals  are  probabilistic,  not  deterministic,  equal  rates  can  still  cause  problems. 
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For  example,  if  -  =  1.1,  then  we  will  lose  at  least  9.1%  of  the  transmitted  messages  on 
average.  It  is  certainly  not  surprising  that  if  we  send  more  into  the  buffer  than  what 
can  be  serviced,  messages  will  be  lost. 

We  must  make  an  effort  to  model  burstiness.  In  those  periods  when  Low  is  faster 
than  High,  how  do  we  know  that  messages  are  not  overwritten?  Even  if  we  accept  the 
M/M/1  queue  as  being  an  accurate  model  of  reality  (which  we  do  not),  if  the  ratio  A//r 
hovers  around  1“,  the  probability  of  a  message  being  lost  can  be  quite  large.  All  of  this 
aside,  we  are  still  faced  with  the  fact  that  the  M/M/1  queue  does  not  take  burstiness 
into  account.  The  Poisson  process  of  rate  A  has  as  one  of  its  main  assumptions  that  the 
probability  of  exactly  one  arrival  in  the  interval  [t,  t  +  dt]  is  A dt  [15].  This  certainly  does 
not  imply  deterministic  arrival.  It  is  not  proper  to  call  this  burstiness;  rather,  this  is  a 
fixed  probabilistic  behaviour.  Bursty  behaviour  does  not  obey  this  Poisson  assumption 
in  that  a  fixed  A  cannot  be  assigned  to  the  probability  of  exactly  one  arrival  in  the 
interval  [t,t  +  dt].  Therefore,  we  propose  an  alternative  to  the  M/M/1/  based  models 
that  incorporates  burstiness. 


2.2  The  MIMO  Model 

We  have  discussed  why  the  M/M/1  model  does  not  model  burstiness.  We  have  shown 
the  impact  of  the  input  rate  being  faster  than  the  output  rate — something  that  could 
happen  for  certain  periods  of  the  system.  Therefore,  we  present  a  new  model,  which  has 
the  M/M/1  model  as  a  special  case.  Our  model  is  based  upon  current  research  in  the 
computer  communications  community.  The  basic  premise  is  that  the  system  oscillates 
between  certain  bursty  and  non-bursty  periods. 

Our  model  is  based  on  the  MMPP  [5];  this  is  a  fundamental  paper  for  dealing  with 
burstiness.  The  MMPP  only  applies  to  the  transmitter  (Low  in  our  case).  Instead  of 
message  arrivals  being  a  Poisson  process  (as  in  the  M/M/1  model),  the  transmitter 
oscillates  between  two  states,  each  state  sends  messages  in  a  Poisson  process,  and  the 
state  changes  are  determined  by  a  continuous-time  Markov  process  with  fixed  mean 
sojourn  times  for  each  state.  The  two  states  represent  the  normal  and  the  bursty 
behaviour  of  the  transmission  process. 

For  our  purpose,  we  find  the  MMPP  lacking  because  it  does  not  take  receiver  (High) 
behaviour  into  account.  Thus,  we  wish  to  also  model  High  as  oscillating  between  two 
states:  a  normal  state  and  a  busy  state.  The  MMPP  considers  continuous  state  changes, 
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our  model  assumes  that  state  changes  only  take  place  at  certain  constant  time  incre¬ 
ments,  called  “frames”. 

Therefore,  our  state  changes  are  given  by  a  (discrete)  Markov  chain.  We  base  our 
conclusions  concerning  buffer  congestion  on  a  computer  simulation  of  the  MIMO  model. 


2.2.1  Low:  Modulate  Input 


1-p 


P 


q 


Figure  4:  Low  as  a  Markov  chain 


Mi  = 


P 

1  -  q 


1  —  p 

(1 


Low’s  transmission  is  given  by  a  2-state  Markov  chain.  In  every  frame  (a  fixed 
number  of  time  units)  we  determine  which  state  we  are  in  according  to  the  transition 
matrix  Mi.  In  the  first  or  normal  state  Sn,  Low  transmits  messages  that  arrive,  via 
a  Poisson  process  of  rate  In  the  second  or  bursty  state  ,5'&,  arrivals  are  a  Poisson 
process  of  rate  A &. 

The  steady  state  probability  for  the  normal  state  is  II  n  =  2-~p-q  •  The  steady  state 
probability  for  the  bursty  state;  is  Ilf,  =  ■  We  see  then  that  the  (global)  arrival 

rate,  denoted  by  A,  is  A  =  IInAn  +  II&A&.  Once  the  Markov  chain  has  entered,  in  the 
steady  state,  Sn  the  number  of  frames  that  it  stays  in  that  state  is  given  by  a  geometric 
random  variable  with  parameter  1  —  p.  The  mean  of  this  geometric  random  variable  is 
corresponding  to  the  mean  sojourn  time  in  the  continuous  MMPP  (similarly  for  ,5'&). 
Thus  we  see  that  the  Low  end  is  just  a  “discretized”  MMPP  with  large  mean  sojourn 
times. 
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2.2.2  High:  Modulated  Output 


1-  p 


Figure  5:  High  as  a  Markov  chain 


High’s  servicp  times  are  similarly  given  by  a  2-state  Markov  chain.  In  every  frame 
(Low  and  High  frames  are  synchronized),  we  determine  which  state  we  are  in  according 
to  the  transition  matrix  Mh-  In  the  first  or  normal  state  ,5'-,  High  services  messages  by 
an  exponential  distribution  with  parameter  (inverse  of  the  mean)  /<-.  In  the  second  or 
busy  state  ,5'y,  messages  are  exponentially  serviced  at  a  slower  rate  /<y9. 

The  steady  state  probability  for  the  normal  state  is  n-  =  yz=^=-  The  steady  state 
probability  for  the  bursty  statp  is  =  2]z T_.  Note  that  the  (global)  service  rat#;  is 

n-/<-  t  i  i~/t  • 

2.3  Low  &:  High  together 

In  the  MIMO  model  we  assume  that  Low  is  transmitting  to  High  and  messages  are 
queued  in  a  buffer  until  High  can  service  them,  and  that  Low  and  High  behave  as  the 
2-stat@  Markov  chains  described  above10.  Low  and  High  are  independent11  in  our  model 
because  Low’s  bursty  and  High’s  busy  periods  cannot  be  controlled.  Therefore,  the 

9 Ther.f  is  a  slight  idealization  for  mathematical  simplicity  because  service  times  cannot  change  < me* 
they  have  been  chosen.  However,  as  long  as  the  frame  size  is  large  in  comparison  to  the  mean  service 
times,  the  difference  is  negligible. 

10There  is  no  requirement  that  p  +  q  =  1  or  p+q  =  1.  The  relationship  between  the  probabilities 
determines  correlations  between  the  states.  In  our  simulations  we  used  correlated  states. 

11  Thus  we  have  described  the  MIMO  model  as  a  queueing  model,  which  we  denote  as  Mi/Mo/l/N, 
for  modulated  input,  modulated  output/service,  single  server,  and  finite  buffer  of  size  N. 
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MIMO  model  consists  of  a  four  state  Markov  chain: 


Sn>n  Low  normal,  High  normal 
Sn  Low  normal,  High  busy 
Sb,n  Low  bursty,  High  normal 
Sb  Low  bursty,  High  busy 

Where  Snj-  is  the  state  where  Low  is  in  its  normal  state,  and  High  is  in  its  normal  state, 
etcy 


Figure  6:  MIMO  model 


PP  p(l  —  p)  (1  —  p)p  (1  —  p)(l  —  p) 

p{l-q)  pq  {l-p){l-q)  (1  -  p)q 

(f  -  q)p  (i-?)(i-p)  (1P  ff(l-F) 

(f -?)(!-?)  (i  -q)q  qq 

The  four  states  transit,  every  frame,  via  the  matrix  M. 

We  have  the  four  steady  state  probabilities  that  are  obtained  by  multiplying  the  Low 
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end  and  High  end  steady  state  probabilities  together.  This  is  valid  because  the  Low  and 
High  ends  are  independent. 


hi  n:n 

= 

hi  b,n  — 
nM  = 


-  / 


1~? 

2 -P~qj  \2-p-q 
1 ~Q  \  l  1 -V 


2—p—q )  \2-p-q 

1 -v  \  (  i -g 


2-p-qJ  \2-p-q 
1 -V  \  (  1 -v 


2-p-qJ  \2-p-q 


The  term  A  from  the  Low  end  and  p  from  the  High  end  let  us  form,  as  in  the  M/M/1 
queue,  the  ratio  X/ p.  We  will  simulate  the  MIMO  model  under  certain  buffer  sizes  and 
see  how  many  messages  get  lost  in  transmission  when  ^  <  1. 


2.4  Simulation  results  of  the  MIMO  model 

Below  we  present  a  table  summarizing  some  of  our  simulation  results  of  the  MIMO 
model  versus  the  M/M/l/N  model.  Our  simulation  was  done  on  a  Sparc20  using  the 
MODSIM  package.  The  theoretical  steady  state  probabilities  and  mean  arrival  and 
service  rates  matched  our  simulation  results  for  the  same  statistics.  Thus,  even  though 
we  do  not  have  MIMO  theoretical  results  for  lost  message  percentages  we  feel  that  our 
simulations  are  accurate. 

We  present  only  a  small  subset  of  our  runs.  We  use  a  frame  size  of  10.  The  runs  that 
we  discuss  were  chosen  to  show  the  danger  of  assuming  results  about  lost  messages  by 
just  studying  the  ratio  of  A  to  p.  We  do  not  claim  that  the  MIMO  model  is  an  accurate 
representation  of  reality.  What  we  do  claim  is  that  the  M/M/l/N  model  is  not  a  good 
model  of  reality  if  the  system  behaves  in  a  bursty  manner  and  that  assumptions  of  lost 
messages  can  be  misleading  and  dangerous.  For  a  bursty  system  we  feel  that  the  MIMO 
model  is  a  better  model  of  reality  than  the  M/M/l/N  model. 

The  first  table  compares  the  M/M/l/N  model  against  the  MIMO  model  for  a  buffer 
of  size  N  =  1000.  We  chose  1000  for  the  buffer  size  because  that  was  an  appropriate 
size  proposed  in  [13].  In  the  following  table  p  =  .70,  q  =  .30,  and  Xn  =  1.0.  We  let  A& 
take  on  the  values  31,51,61  to  result  in  X/ p  taking  the  values  of  .50, .80, .95  ,  respectively. 
High  was  fixed  at  p  =  .50  =  q,p—  =  30,  pj  =  10. 
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A 

U 

%  lost  in  M/M/1 

%  lost  in  MIMO 

.50 

0+% 

.04% 

.80 

0+% 

7.5% 

.95 

0+% 

15.6% 

Simulation:  Buffer  size  1000  High:  p  =  .50  =  q,  p—  =  30,  pj  =  10 

The  simulation  gave  us  no  messages  lost  for  the  M/M/l/N  queue.  However,  all  of 
the  theoretical  M/M/l/N  lost  percentages  are  infinitesimally  small,  but  still  non-zero. 
This  is  why  we  used  the  notation  0+.  We  see,  in  the  MIMO  model,  unsurprisingly,  that 
as  ^  — >  1~  the  percent  of  lost  messages  increases.  What  is  surprising  is  that  for  Low 
sending  at  half  the  rate  that  High  is  servicing,  a  non-trivial  amount  of  messages  can  still 
be  lost. 

We  increased  the  buffer  size  by  an  order  of  magnitude  and  still  had  lost  messages 
for  the  MIMO  model  as  shown  below.  We  did  have  to  increase  X/p  to  .995  to  get  a 
significant  amount  of  lost  messages. 


P 

^ n 

q 

h 

A 

U 

%  lost  in  M/M/1 

%  lost  in  MIMO 

.70 

2 

.30 

128 

.995 

0+% 

6.2% 

Simulation:  Buffer  size  10,000  High:  p  =  .50  =  q,  p—  =  60,  pj  =  20  . 


In  fact,  no  matter  what  size  buffer  is  used  we  could  always  come  up  with  a  MIMO 
example  with  ^  <  1,  such  that  messages  were  still  lost.  Further,  our  simulations  also 
showed  that  messages  were  lost  for  M/Mo/l/N  and  Mi/M/l/N  queues  when  ^  <  1. 
Of  course  one  could  insure,  up  to  a  high  probability,  that  messages  were  not  lost  by 
basically  using  a  buffer  on  the  order  of  magnitude  of  the  number  of  messages  sent.  But 
this  is  not  a  practical  engineering  solution.  The  point  of  this  is:  the  potential  for  bursty 
periods  on  the  Low  end  and  busy  periods  on  the  High  end  must  be  well  understood  before 
any  claims  of  buffer  management  can  be  made  if  one  does  not  have  flow  control. 

The  MIMO  model,  because  of  its  discrete  nature,  does  not  capture  as  much  of  the 
bursty  behaviour  as  the  continuous  time  MMPP.  Further,  there  are  some  who  argue 
that  all  of  these  models  are  far  from  reality  because  message  traffic  patterns  have  a 
fractal  (self-similar)  nature  to  them  [11,  14];  thus  the  simple  burstiness  modelled  in  the 
MIMO  model  may  be  far  from  reality  (but  it  is  still  better  than  M/M/1  which  has  no 
burstiness).  Therefore,  we  feel  flow  control  is  necessary  unless  one  can  be  sure  that  Low 
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is  always  slower  than  High.  We  feel  the  Pump,  via  its  ACK  stream  flow  control,  will 
let  Low  send  messages  as  fast  as  High  can  handle  them,  and  because  the  Pump  insures 
reliability  (none  of  the  blind  write-up  methods  do),  it  is  a  good  solution  to  the  write-up 
problem. 


3  Pump  scales  up,  does  blind  write-up? 

We  have  just  been  dealing  with  one  source  and  one  destination.  What  happens  when 
there  are  multiple  sources  and  multiple  destinations  in  a  network  environment  where  the 
number  and/or  rates  of  inputs  change  dynamically?  The  bandwidth  of  communication 
links,  transmission  speed,  and  processing  speed  are  all  limited.  In  a  network,  if  the  load 
of  data  traffic  offered  to  the  network  exceeds  its  capability,  some  of  the  load  must  be 
cut  fairly. 


Number  of  inputs  may  vary  dynamically 


Figure  7:  Simplified  view  of  fairness  problem 

In  a  network,  resources  are  often  shared  among  several  sessions.  Services  for  other 
sessions  can  potentially  be  disrupted  if  too  much  resource  is  allocated  to  one  particular 
session.  Therefore,  we  must  consider  denial  of  service  attacks. 

The  basic  idea  of  the  network  Pump  [10]  is  to  dynamically  control  input  rates  by 
attempting  to  “slave”  the  input  rates  to  a  moving  average  of  the  output  rates  (service 
rates)  by  moderating  the  ACK  rate  to  a  source.  In  this  way  thg  network  Pump  can 
achieve  fairness  and  prevent  denial  of  service  attacks  without  sacrificing  performance. 
The  simulation  results  in  [10]  support  our  claims. 
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The  blind  write-up  method  does  not  send  any  control  information  back  to  the  sources. 
Hence,  sources  neither  know  the  status  of  the  destination  (busy/alive?)  nor  can  they 
intelligently  control  their  input  rates.  We  would  be  interested  in  seeing  how  non-flow 
controlled  methods  deal  with  fairness  and  denial  of  service  in  the  network  environment. 


4  Conclusion 

This  paper  focused  on  the  consequences  of  sending  messages  from  Low  to  High  without 
flow  control.  We  showed  that  the  paradigm  of  “if  input  rate  is  less  than  output  service 
rate,  an  intermediary  buffer  can  be  used  to  insure  message  delivery”  is  too  optimistic. 

Historically,  (in  the  non-secure  world)  the  M/M/1  queue  has  been  used  when  we 
have  unlimited  buffer  resources.  In  reality,  buffer  size  is  limited,  so  if  there  is  burstiness 
from  the  input,  ACKs  can  be  used  to  prevent  message  loss.  However,  in  the  secure 
world  we  do  not  want  to  send  ACKs  from  High  to  Low,  but  the  consequences  will  be 
lost  messages.  Hence,  determining  the  queue  size  is  extremely  important  if  there  are  no 
ACKs.  The  M/M/l/N  model  has  been  used  to  find  the  adequate  buffer  size  under  the 
no-ACK  condition.  However,  the  M/M/l/N  model  is  far  from  reality.  In  this  paper  we 
introduced  the  MIMO  model  which  takes  burstiness  into  account.  We  showed  that  the 
queue  size  based  on  the  M/M/l/N  model  is  too  optimistic  through  simulation  results. 
The  MIMO  model,  which  has  4  states  (2  Low  and  2  High),  might  itself  not  accurately 
reflect  real  system  behavior.  But  it  is  a  sufficient  model  to  show  that  the  buffer  size 
analysis  based  on  the  M/M/l/N  model  is  too  optimistic  for  the  secure  world.  Even  if 
there  exist  buffers  of  sufficient  size  to  store  all  bursty  messages,  we  still  have  the  other 
very  important  reliability  issues  that  ACKless  based  schemes  do  not  sufficiently  address. 
Therefore,  the  ACKs  must  be  sent  to  Low. 
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